On Friday 18 Nov 2005 19:50, Santanu Das wrote:
> Hi Graeme,
>
> On Fri, 2005-11-18 at 17:05, Graeme Stewart wrote:
> > There's definitely a certificate error.
>
> I'm just confused. Look at this:
>
> [root@serv02 grid-security]# openssl x509 -in hostcert.pem -noout -text
Yes, I think this means your public key is fine (that's all that's in
hostcert).
> [root@serv02 cert]# ls -l | grep pem
> -r--r--r-- 1 root root 2399 Nov 18 17:20 serv02-cert.pem
> -r-------- 1 root root 4259 Nov 18 17:19 serv02-key.pem
>
> (I have symbolic links in /etc/grid-security pointing to them.)
> Any other clue(s)?
Try running the openssl command on hostkey.pem too. In particular check the
"Subject Key Identifier"s match in both cases.
>
> > > Starting rgma-servicetool: Site name is changeme.invalid - please
> > > change to actual site name
> >
> > No. That you fix by changing the hostname in
>
> That adds another headache, "rgma.conf" is okay AFAIU.
>
> [root@serv02 grid-security]# cat /opt/glite/etc/rgma/rgma.conf
> Archiver=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/ArchiverServlet
> Consumer=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/ConsumerServlet
> StreamProducer=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/StreamProducerServlet
> LatestProducer=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/LatestProducerServlet
> CanonicalProducer=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/CanonicalProducerServlet
> DataBaseProducer=http://serv02.hep.phy.cam.ac.uk:8080/R-GMA/DBProducerServlet
> Registry=http://lcgic01.gridpp.rl.ac.uk:8080/R-GMA/RegistryServlet
> Schema=http://lcgic01.gridpp.rl.ac.uk:8080/R-GMA/SchemaServlet
> XMLConverter=/opt/glite/etc/rgma/XMLResponse.xsd
> leapsecLocation=/opt/glite/etc/rgma/leapsec.dat
That looks ok. Have you restarted RGMA?
>
>
> Our SE and MON are the same box i.e. serv02.hep.phy.cam.ac.uk
> Is that file okay?
Actually perhaps not. I see that our RGMA, after the upgrade, is bound to
8443, which is the DPM srmv1 port. You could switch RGMA back to insecure (in
which case it should revert to 8080), but eventually I think that RGMA will
require a secure install, and probably require port 8443 too.
It is possible, if you are brave, to bind your SRM interface to a different
port (see "man srmv1") - as long as you publish that different port in the
BDII. That's unknown territory though. I can't see any reason why that
wouldn't work, but it's non-standard, a higher risk and there may be
"unknown unknowns".
>
> Sorry for giving pre-weekend troubles.
Apologies for not managing a pre-weekend answer.
Cheers
Graeme
--
--------------------------------------------------------------------
Dr Graeme Stewart http://www.physics.gla.ac.uk/~graeme/
GridPP DM Wiki http://wiki.gridpp.ac.uk/wiki/Data_Management
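
Added example, not part of the original thread: one way to confirm that a host certificate and a private key belong together is to compare the public key carried in each, and to check that the key file is readable by its owner only. The temporary directory, the `demo-*.pem` and `other-key.pem` file names and `host.example.invalid` are constructed for the demo; the symlink names follow the thread.

```shell
#!/bin/sh
# Added example; the host name and file names created below are constructed.

# check_host_pair CERT KEY
# 0 = KEY belongs to CERT and is owner-only; 1 = public keys differ;
# 2 = a file could not be parsed; 3 = key readable by group or others.
check_host_pair() {
    # Both commands emit the same "BEGIN PUBLIC KEY" PEM for the same key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
    # ls -lL follows symlinks; characters 5-10 are the group/other mode bits.
    mode=$(ls -lL "$2" | cut -c5-10)
    [ "$mode" = "------" ] || return 3
    return 0
}

# make_demo_dir: throwaway directory holding a self-signed certificate, its
# key, an unrelated key, and symlinks named hostcert.pem / hostkey.pem.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    (
        umask 077
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=host.example.invalid" \
            -keyout demo-key.pem -out demo-cert.pem 2>/dev/null || exit 1
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out other-key.pem 2>/dev/null || exit 1
        ln -s demo-cert.pem hostcert.pem
        ln -s demo-key.pem hostkey.pem
    ) || return 1
    printf '%s\n' "$d"
}

# Demo run: report the status code for a matching and a mismatched pair.
d=$(make_demo_dir) || exit 1
rc=0; check_host_pair "$d/hostcert.pem" "$d/hostkey.pem" || rc=$?
echo "hostcert.pem + hostkey.pem   -> $rc"
rc=0; check_host_pair "$d/hostcert.pem" "$d/other-key.pem" || rc=$?
echo "hostcert.pem + other-key.pem -> $rc"
rm -rf "$d"
```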